Incoming NASS leader rejects Democrats’ election security bill

Editor's Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m.

QUICK FIX

— A House Democratic legislative proposal on election security has picked up a formidable enemy. The incoming president of the National Association of Secretaries of State called the bill “a huge federal overreach.”

— Georgia’s election security commission is moving to adopt an electronic voting system despite the advice of its own cyber expert to use paper ballots. The commission also rejected other cybersecurity-related suggestions.

— The government shutdown is rendering federal agencies’ websites insecure. Expiring certificates are also making some sites inaccessible.

Election Security

NO WAY JOSE — The next president of the NASS has strong words for House Democrats considering a range of election security measures: Butt out.

H.R. 1, a Democratic grab-bag bill with election security provisions, “seems to be a huge federal overreach,” Iowa Secretary of State Paul Pate told POLITICO. “No matter how well-intentioned, the provisions of the bill give the authority of overseeing and conducting elections and voter registration to the federal government.” (In fact, the bill would not do this.) Pate’s remarks, first reported by National Journal, mirror comments by former Georgia Secretary of State Paul Kemp in August 2016.

Pate cited NASS’s long-standing opposition to federal mandates for election procedures — in October, the group warned against tying federal funds to regulations — and said state election offices like his are “better prepared than the federal government to determine what is right for their residents.”

Despite Pate’s suggestion that “our country’s legal and historical distinctions in federal and state sovereignty” invest states with the exclusive authority to regulate elections, Article I Section 4 of the Constitution empowers Congress to “at any time by Law make or alter” election processes.

PEACH STATE BLUES — Georgia’s voting security commission on Thursday endorsed an electronic voting system over paper ballots after a meeting in which commission members routinely overrode suggestions of the group’s lone cybersecurity expert. The vote to approve recommendations to the state legislature was 13-3, with the expert, Dr. Wenke Lee of Georgia Tech, among the dissenters. Lee proposed several amendments based on the consensus view of cyber experts, including a provision explaining that experts favor paper ballots processed by optical scanners over ballot-marking devices, which process voters’ decisions electronically and generate paper slips showing those choices. But the Republican-led commission rejected most of them. (Asked for comment, Lee pointed to a blog post he wrote. The final recommendations have not yet been posted.)

Georgia’s woefully insecure election technology grabbed the spotlight during the 2016 and 2018 elections, when the Peach State was one of five to rely exclusively on paperless machines. As mentioned above, Kemp, elected governor in November, spent years blasting the federal government over its increasing involvement in election security. But facing mounting pressure from election integrity advocates and security experts, he created a commission to guide state lawmakers in replacing the paperless machines.

Georgians testifying before the commission overwhelmingly argued for paper ballots. Some of them grew emotional as they described Georgia’s insecure machines as a source of national embarrassment and urged the commission to chart a better future for the state. While ballot-marking devices sound secure because they involve paper records, if hackers compromise the devices, they can manipulate votes printed on the slips, which voters often fail to verify. Hackers can also manipulate the barcodes on the slips, which are the official vote records, so they display differently from the accompanying text.

ANOTHER SHUTDOWN CASUALTY — Government websites are becoming inaccessible or insecure as certificates expire. Netcraft, which noticed the phenomenon, found 80 sites with expired certificates that aren’t being renewed because of the shutdown. "As more and more certificates used by government websites inevitably expire over the following days, weeks — or maybe even months — there could be some realistic opportunities to undermine the security of all U.S. citizens," Paul Mutton wrote on Thursday.

HOTEL SECURITY — A bevy of law firms filed a lawsuit Thursday on behalf of people in all 50 states over Marriott’s massive data breach that affected nearly 400 million customers. “It is difficult to comprehend how Marriott did not discover a data breach of this size during the course of its due diligence efforts in conjunction with its 2016 Starwood acquisition,” said Amy Keller, a partner with DiCello Levitt. “Marriott has completely failed its customers and it is disingenuous for the company to attempt to downplay the seriousness of this breach.” Besides DiCello Levitt, the other firms involved are Hausfeld; Cohen Milstein Sellers & Toll; Cohen & Gresser; and Kramon & Graham. Also this week, Hyatt announced a bug bounty program.

RECENTLY ON PRO CYBERSECURITY — The FBI Agents Association warned that agents might begin quitting over the government shutdown. … Former Donald Trump attorney Michael Cohen will testify before the House Oversight Committee. … Trump denied knowing about former campaign manager Paul Manafort’s correspondence with an associate with ties to the Russian government.

TWEET OF THE DAY — A lot of cyber insurance purchases may soon seem really hasty.

REPORT WATCH

— More than half of those polled expect security incidents in the cloud to increase this year, according to a survey out today from the Cloud Security Alliance. Sixty percent of respondents said they would consider the cloud service provider responsible for a breach.

About The Author : Tim Starks